by Malcolm Rowe

Security by email address

I have a few online accounts that I end up using only very occasionally, and that I only have because the merchant or site forced me to register. Typically, I have no idea what the password for the account is (because I didn’t care enough to write it down in the first place), so I usually go through the following steps:

  1. Get to login form.
  2. Enter my email address and find out that I already have an account. Choose the ‘forgot password’ link.
  3. Receive an email telling me that my password is now vx4n3gikg, or something equally memorable; alternately, receive an email sending me to a page where I can change my password, wherein I change it to something I instantly forget.
  4. Complete my transaction, and fail to care enough to write down my password.

It occurred to me today that this boils down to proving that I can receive email at a given address, and I’d be a lot happier if the website just made that explicit: for example, by allowing me to request a one-time login URL for a given email address, and forgetting about the password thing entirely.

(Even better would be allowing me to complete a transaction without creating an account, but only a small number of merchants seem to do that, annoyingly. It’s not like user accounts have any monetary value — do they?).